Introduction to Policies
IAM (Identity and Access Management) in AWS helps manage access
to resources. It involves creating policies that define permissions for
users and roles. There are two main policy types: Inline (attached to
a single user/role) and Managed (reusable across multiple
users/roles).
Types of Policies: Inline Policy and Managed Policy
Inline Policy
An inline policy is a policy that is embedded directly within
a user, group, or role. It is unique to that specific identity
and is not reusable across multiple identities.
Managed Policy
A managed policy is a standalone policy that can be
attached to multiple users, groups, and roles. This makes it
easier to manage and maintain permissions across your
organization.
Permissions in IAM
1. Allow
Permissions that grant access to perform specific actions on AWS resources.
2. Deny
Permissions that explicitly deny access to perform specific actions on AWS resources. An explicit Deny takes precedence over any Allow.
3. Condition
Permissions that apply only when specific conditions are met, such as time of day or source IP address.
IAM Policies:
IAM (Identity and Access Management) policies in AWS are defined using JSON format. These policies specify the actions
that users, groups, or roles are allowed or denied to perform on AWS resources. Let's examine an example policy that
grants read-only access to an S3 bucket.
Example Policy: Allowing S3 Read-Only Access
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}
Version: Defines the policy language version, e.g., "2012-10-17".
Statement: Contains one or more policy statements.
Effect: Specifies whether access is allowed or denied (e.g., "Allow").
Action: Lists allowed or denied actions (e.g., "s3:GetObject" to download and "s3:ListBucket" to list objects).
Resource: Defines the AWS resources the actions apply to (e.g., "arn:aws:s3:::example-bucket" for the bucket
and "arn:aws:s3:::example-bucket/*" for its objects).
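To make the Allow, Deny and Condition rules concrete, here is an added example (not code from the page) of a simplified policy evaluator in Python. It uses the page's read-only policy and adds a constructed Deny statement with an aws:SourceIp condition; the CIDR 203.0.113.0/24 and the request contexts are assumed values. Only the IP condition operators and case-sensitive wildcard matching are modelled, not the full IAM evaluation logic.

```python
import fnmatch
import ipaddress

# The page's read-only policy plus a constructed Deny statement; the CIDR is an assumed value.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
}

def _as_list(value):
    # IAM allows a single string or a list for Action, Resource and condition values.
    return value if isinstance(value, list) else [value]

def _condition_matches(condition, context):
    # Only IpAddress / NotIpAddress are modelled; real IAM has many more operators.
    # As in IAM, a negated operator matches when the context key is absent.
    for operator, pairs in condition.items():
        for key, cidrs in pairs.items():
            ip = context.get(key)
            in_any = ip is not None and any(
                ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in _as_list(cidrs))
            if operator == "IpAddress" and not in_any:
                return False
            if operator == "NotIpAddress" and in_any:
                return False
    return True

def evaluate(policy, action, resource, context=None):
    # Simplified IAM decision: explicit Deny wins, then Allow, otherwise implicit Deny.
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit Deny overrides any matching Allow
        decision = "Allow"
    return decision
```

Note that a request with no aws:SourceIp in its context is denied by the NotIpAddress statement, which is the same behaviour IAM has for negated condition operators.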
Role-Based Access Control (RBAC)
What are Roles?
Defined sets of permissions that can be assigned to users or groups.
Define Roles: Create specific roles with predetermined permissions to access AWS resources.
Attach Policies: Attach IAM policies to the roles to define the allowed actions on the resources.
Assign Roles: Assign the roles to users, applications, or services, allowing them to assume the permissions.
In a real-world example, you can create a role with permissions to access an S3 bucket, attach a policy that allows actions
like s3:GetObject, and then assign that role to an EC2 instance running your application. This way, the application can
access the S3 bucket without the need to manage individual user credentials.
Cloud Shell
Instant Access
Cloud Shell provides instant access to a browser-based shell,
eliminating the need for local setup and configuration.
Pre-Installed Tools
Cloud Shell comes pre-installed with a variety of tools and
utilities, making it a powerful and convenient command-line
environment.
Persistent Storage
Cloud Shell offers persistent storage, allowing you to save your
work and access it from any location.
Creating a User using Cloud Shell
1. Open Cloud Shell
Access the AWS Cloud Shell from the management console.
2. Create User
Use the aws iam create-user command to create a new IAM user with the desired username.
3. Access Key
To create an access key for the user, use this command:
aws iam create-access-key --user-name new-user
4. Verify User
Confirm the new user's creation and check their access credentials:
aws iam list-users
Best Practices for IAM
1. Least Privilege
Grant only the necessary permissions for users and roles to perform their required tasks.
2. Enforce MFA
Require multi-factor authentication (MFA) for all IAM users to enhance security.
3. Regularly Review
Regularly review and update IAM policies to ensure they remain relevant and secure.
A Real-World Example
User: Sales Analyst
Permissions: Read-only access to sales data and reports
User: Marketing Manager
Permissions: Create and manage marketing campaigns, access to relevant customer data
Role: IT Administrator
Permissions: Manage IAM policies, create and delete users, monitor cloud infrastructure
Conclusion
IAM is a powerful tool for securing your cloud environment by managing user identities and controlling access to resources. By
understanding the different types of policies, permissions, and RBAC concepts, you can effectively implement a robust IAM
strategy to protect your organization's data and assets.